[SYSS-2019-002] Blue Prism Robotic Process Automation (RPA) -- Privilege Escalation

From: benjamin.hess@syss.de
To: bugtraq@securityfocus.com
Subject: [SYSS-2019-002] Blue Prism Robotic Process Automation (RPA) -- Privilege Escalation


------------------------------------------------------------------------
SySS Security Advisory: Blue Prism Robotic Process Automation (RPA) - Privilege Escalation
------------------------------------------------------------------------

Advisory ID: SYSS-2019-002 
Product: Blue Prism Robotic Process Automation (RPA)
Manufacturer: Blue Prism
Affected Version(s): Before 6.5.0.12573
Tested Version(s): 6.4.0.8445, Before 6.5.0.12573
Vulnerability Type: Improper Access Control (CWE-284) 
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2019-02-01
Solution Date: Around 2019-05-10 
Public Disclosure: 2019-05-22
CVE Reference: CVE-2019-11875
Author of Advisory: Benjamin Hess, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Blue Prism is an RPA platform that enables companies to manage and 
deploy their digital workforce composed of software robots. 

The manufacturer describes the product as follows (see [1]):

"Blue Prism Digital Workers have Intelligent Automation Skills that make
it easier than ever for organizations to leverage technologies that
deliver true operational agility."

Due to a missing permission check for certain actions on the server
side, the software is vulnerable to privilege escalation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

A vulnerability in the access control of the software can be exploited 
to escalate privileges. The vulnerability allows for abusing the
application for fraud or unauthorized access to certain information. 

The attack requires a valid user account to connect to the Blue Prism
server, but the roles associated with this account are not required to
have any permissions.
First of all, the application files are modified to grant full
permissions on the client side.
In a test environment (or his own instance of the software), an attacker
is able to grant himself full privileges on the server side as well.
He can then, for instance, create a process with malicious behavior and 
export it to disk.
With the modified client, it is possible to import the exported file as 
a release and overwrite any existing process in the database.
Eventually, the bots execute the malicious process.

The server does not check the user's permissions for the aforementioned
actions, so a modification of the client software is enough to enable
this kind of attack.

Possible scenarios may involve changing bank accounts or setting 
passwords.
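
As an added illustration of the missing server-side check described
above (not Blue Prism code; every type and member name is hypothetical),
this C# model contrasts a server operation that relies on the client's
permission gate with one that authorizes from server-held role data:

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model, not Blue Prism code: all names below are assumptions.
enum Permission { ViewReleases, ImportRelease }

sealed class ReleaseServer
{
    // Role data lives on the server; the client never supplies it.
    private readonly Dictionary<string, HashSet<Permission>> _grants =
        new Dictionary<string, HashSet<Permission>>
        {
            ["admin"]  = new HashSet<Permission> { Permission.ViewReleases, Permission.ImportRelease },
            ["noperm"] = new HashSet<Permission>()   // valid login, no permissions
        };
    public readonly Dictionary<string, string> Processes =
        new Dictionary<string, string> { ["Payroll"] = "original" };

    // Weak: assumes the client's own permission check already hid the menu entry.
    public void ImportReleaseUnchecked(string user, string name, string body)
    {
        Processes[name] = body;
    }

    // Hardened: authorization is decided from server-side state on every call.
    public void ImportRelease(string user, string name, string body)
    {
        if (!_grants.TryGetValue(user, out var perms) || !perms.Contains(Permission.ImportRelease))
            throw new UnauthorizedAccessException($"{user} lacks {Permission.ImportRelease}");
        Processes[name] = body;
    }
}

static class Demo
{
    static void Main()
    {
        var server = new ReleaseServer();
        // Constructed sample request from an authenticated user without permissions.
        server.ImportReleaseUnchecked("noperm", "Payroll", "replaced");
        Console.WriteLine($"unchecked: Payroll = {server.Processes["Payroll"]}");

        server.Processes["Payroll"] = "original";
        try { server.ImportRelease("noperm", "Payroll", "replaced"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine($"checked: denied ({e.Message})"); }
        Console.WriteLine($"checked: Payroll = {server.Processes["Payroll"]}");
    }
}
```

A client-side gate such as HasPermission() only controls which menus
are shown; the decision that counts is the one in ImportRelease().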




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the tool dnSpy [2], the file "AutomateAppCore.dll" can be
decompiled and modified. The namespace "BluePrism.AutomateAppCore.Auth"
contains the class "User". The body of the member function with
prototype

public bool HasPermission(ICollection<Permission> perms)

needs to be changed to:

return true;

After compiling the modified assembly and replacing the original library
file, the client grants access to all menus and buttons regardless of
the role of the logged-in user.

One can now start the software and sign in to the desired target.
It is then possible to open the tab "Releases", where one may create new
packages or modify existing ones, create new releases or import a 
release from disk.

By performing a right-click in the tree with the releases, one can 
choose "Import release" and select the corresponding file on disk.
If the file contains a process from the current database that was 
modified in a malicious way, the process in the database is overwritten.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer fixed the vulnerability in version 6.5.0.12573.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-01-30: Vulnerability discovered
2019-02-01: Vulnerability reported to manufacturer
2019-05-10: It was found that the bug was fixed by the manufacturer
2019-05-15: Manufacturer confirmed affected versions
2019-05-22: Public release of the security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Blue Prism Robotic Process Automation
    https://www.blueprism.com/product
[2] dnSpy debugger and .NET assembly editor
    https://github.com/0xd4d/dnSpy
[3] SySS Security Advisory SYSS-2019-002
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-002.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Benjamin Hess of SySS GmbH.

E-Mail: benjamin.hess@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Benjamin_Hess.asc
Key ID: 0x1331325C
Key Fingerprint: D73C 3C3D 746C 66C3 D0AE BED8 7FD5 638E 1331 325C 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" 
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en




